CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt [www.qualys.com]
2023-07-21 20:31
tags: best, c, exploit, library, linux, security, turtles
While browsing through ssh-agent’s source code, we noticed that a remote attacker, who has access to the remote server where Alice’s ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib on Alice’s workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default).
Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX). Our best proofs of concept so far exploit default installations of Ubuntu Desktop plus three extra packages from Ubuntu’s “universe” repository. We believe that even better results can be achieved (i.e., some operating systems might be exploitable in their default installation):
source: HN
15 years later: Remote Code Execution in qmail (CVE-2005-1513)
https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt [www.qualys.com]
2020-05-20 00:47
tags: c, exploit, malloc, programming, security
In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. We recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.
source: solar
Authentication vulnerabilities in OpenBSD
https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt [www.qualys.com]
2019-12-04 20:08
tags: auth, development, exploit, openbsd, programming, security
We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
System Down: A systemd-journald exploit
https://www.qualys.com/2019/01/09/system-down/system-down.txt [www.qualys.com]
2019-01-10 03:41
tags: exploit, linux, malloc, security
Despite this initial success, we abandoned the exploitation of CVE-2018-16864: while working on our proof of concept, we discovered two different vulnerabilities (CVE-2018-16865, another attacker-controlled alloca(), and CVE-2018-16866, an information leak) that are reliably exploitable on both i386 and amd64.
source: L
The Stack Clash
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt [www.qualys.com]
2017-06-19 20:34
tags: best, c, compsci, exploit, linux, malloc, openbsd, paper, programming, security, sorting, systems, unix
This is a great writeup, further developing an existing but overlooked exploit technique. Maybe not all the exploits worked, but lots of vulns found, and some countermeasures eluded.
source: L